Gotcha. Thanks. The only reason I got down this road is because the HDFS processors were logging
"Configuration does not have security enabled, keytab and principal will be ignored." Which is a bit vague and left me thinking i needed to run Nifi in secure mode. The processors were configured for kereberos. Still not sure what the message refers to though. Darren Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android<https://aka.ms/ghei36> ________________________________ From: Bryan Bende <bbe...@gmail.com> Sent: Monday, December 14, 2020 1:56:01 PM To: users@nifi.apache.org <users@nifi.apache.org> Subject: Re: Secure Mode & Kerberos Ok so you are authenticating with a client cert, so this has nothing to do with kerberos. Put the DN from the client cert as the initial admin in authorizers.xml and it generates the policies in authorizations.xml for you. You likely need to delete users.xml and authorizations.xml in order for it to be a fresh setup and trigger the seeding of the initial admin. On Mon, Dec 14, 2020 at 1:51 PM Darren Govoni <dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote: I see this error in the browser [cid:1766299c1e4cb971f161] Along with the exception in the log: Kerberos ticket login not supported by this NiFi That is just with adding the /etc/krb5.conf to nifi.properties per your suggestion. I do have a browser cert it prompted me to select. I had started to add the cert CN to authorizers.xml (i.e. add it to initial admin field), but it requires populating authorizations.xml as well and I'm not sure how to do that. ________________________________ From: Bryan Bende <bbe...@gmail.com<mailto:bbe...@gmail.com>> Sent: Monday, December 14, 2020 1:04 PM To: users@nifi.apache.org<mailto:users@nifi.apache.org> <users@nifi.apache.org<mailto:users@nifi.apache.org>> Subject: Re: Secure Mode & Kerberos I'm confused, how are you trying to authenticate to nifi and what is the error your are getting in the nifi UI when you attempt to access it? You said you didn't want to authenticate via kerberos, so the warning should not matter. On Mon, Dec 14, 2020 at 11:26 AM Darren Govoni <dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote: > > Thanks Bryan. > > I'm seeing in AccessResource.java that it will throw this exception if spnego > is not configured or keberosService is null, which it is in my nifi. > > Doing a quick search for setKeberosService callers doesnt turn anything up in > the code. And this exception prevents me accessing the app. > > Do i need to configure anything in authorizers.xml or users.xml? > > I set the krb file in nifi.properties already. > > Darren > > Sent from my Verizon, Samsung Galaxy smartphone > Get Outlook for Android > > ________________________________ > From: Bryan Bende <bbe...@gmail.com<mailto:bbe...@gmail.com>> > Sent: Monday, December 14, 2020 11:19:28 AM > To: users@nifi.apache.org<mailto:users@nifi.apache.org> > <users@nifi.apache.org<mailto:users@nifi.apache.org>> > Subject: Re: Secure Mode & Kerberos > > That is just a warning that prints every time you refresh the UI, the > UI makes a call to see if SPNEGO is enabled, it shouldn't impact > anything, same case for OIDC. > > On Mon, Dec 14, 2020 at 10:15 AM Darren Govoni > <dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote: > > > > When I remove the SPNEGO properties and set the krb5 file > > > > # kerberos # > > nifi.kerberos.krb5.file=/etc/krb5.conf > > > > > > 020-12-14 10:09:44,477 WARN [NiFi Web Server-19] > > o.a.n.w.a.c.IllegalStateExceptionMapper java.lang.IllegalStateException: > > Kerberos ticket login not supported by this NiFi.. Returning Conflict > > response. > > java.lang.IllegalStateException: Kerberos ticket login not supported by > > this NiFi. > > > > Also threw exception about OpenID Connect not configured. > > > > Nifi 1.11.4 > > > > ________________________________ > > From: Darren Govoni <dar...@ontrenet.com<mailto:dar...@ontrenet.com>> > > Sent: Monday, December 14, 2020 10:00 AM > > To: users@nifi.apache.org<mailto:users@nifi.apache.org> > > <users@nifi.apache.org<mailto:users@nifi.apache.org>> > > Subject: Re: Secure Mode & Kerberos > > > > Hi Bryan > > > > I did do that but still got the warning/error. But I will go back and > > verify this. > > > > Darren > > > > Sent from my Verizon, Samsung Galaxy smartphone > > Get Outlook for Android > > > > ________________________________ > > From: Bryan Bende <bbe...@gmail.com<mailto:bbe...@gmail.com>> > > Sent: Monday, December 14, 2020 9:37:33 AM > > To: users@nifi.apache.org<mailto:users@nifi.apache.org> > > <users@nifi.apache.org<mailto:users@nifi.apache.org>> > > Subject: Re: Secure Mode & Kerberos > > > > You don't need to have NiFi secured with Kerberos in order to use HDFS > > processors talking to kerberized HDFS. > > > > You just need to specify the krb5.conf in nifi.properties, and you > > need to provide the HDFS processors with a core-site.xml that has > > security set to kerberos. > > > > On Mon, Dec 14, 2020 at 9:28 AM Darren Govoni > > <dar...@ontrenet.com<mailto:dar...@ontrenet.com>> wrote: > > > > > > Hi, > > > I want to test the HDFS processors using Kerberos, but they trigger a > > > warning saying Nifi is not running in secure mode, so it ignores kerberos. > > > > > > In order to get Nifi into secure mode I had to enable SPNEGO which it > > > seems to want a kerberos header to allow me into the app now. > > > > > > Is there a way to allow processors to run securely with kerberos without > > > having to auth myself into the app via kerberos? Which I'm not sure how > > > to do. > > > > > > Darren > > > > > > PS. I do have a Apache Kerby KDC running locally if that can help me auth > > > into Nifi.
